Exhibit A



Analysis of Electronic Evidence from: 



1. Tribune Company server logs 

2. Overplay logs 

3. Email provider records 

4. Internet Service Provider (AT&T) records 

5. Items recovered from Defendant's digital devices; and 

6. Internet Relay Chat logs recovered from search warrant 
Ohio 





On IRC channel #internetfeds: 



• 08/Dec/2010:17:57 Los Angeles Time* AESCracked: It takes a while to grant one username permission to every site

• 08/Dec/2010:17:57 Los Angeles Time AESCracked: Im doing that now.

• 08/Dec/2010:18:00 Los Angeles Time AESCracked: yes, those are the three cms that this user/pass gives access to

• 08/Dec/2010:18:00 Los Angeles Time AESCracked: user: anon1234

• 08/Dec/2010:18:00 Los Angeles Time AESCracked: pass: common2

• 08/Dec/2010:18:01 Los Angeles Time AESCracked: go fuck some shit up!

• 08/Dec/2010:18:05 Los Angeles Time sharpie: fuck

• 08/Dec/2010:18:05 Los Angeles Time sharpie: we're in

• 08/Dec/2010:18:05 Los Angeles Time sharpie: thanks bro

• 08/Dec/2010:18:10 Los Angeles Time Sabu: I am looking through these accounts. anon1234 stands out like a sore thumb, we need to blend in better amongst these other users

• 08/Dec/2010:18:11 Los Angeles Time AESCracked: if you're on the assembler site, scroll down on the left to "user preferences." click on that, then click "edit users" when it says "find user," type "anon1234" into username then click "find

*Converted to Los Angeles Time from Eastern Time throughout presentation. 



At the same time, Tribune Server Logs show
IP address 80.74.135.87 is connected

• 80.74.135.87 - - [08/Dec/2010:17:57:04 -0800] "POST /access/savegroups.ldap HTTP/1.1" 200 578 "https://assembler.tribuneinteractive.com/access/editgroups.ldap?username=anon1234" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"





December 8, 2010, is the first appearance of the username
"anon1234" and the IP address 80.74.135.87 in the Tribune
Server Logs.




From Overplay 



• UserName | NASIPAddress | AcctStartTime | AcctStopTime | FramedIPAddress | CallingStationId 

keysjom | 80.74.135.87 | 2010-12-09 01:31:39 | 2010-12-09 03:57:46 | 10.12.0.10 | 75.53.168.11 

• Uses London, United Kingdom local time. 




How Overplay Works 






Time Comparison Between Tribune Server Logs, Overplay and IRC Logs

80.74.135.87 - - [08/Dec/2010:17:57:04 -0800] "POST /access/savegroups.ldap HTTP/1.1" 200 578 "https://assembler.tribuneinteractive.com/access/editgroups.ldap?username=anon1234" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

UserName | NASIPAddress | AcctStartTime | AcctStopTime | FramedIPAddress | CallingStationId

keysjom | 80.74.135.87 | 2010-12-09 01:31:39 | 2010-12-09 03:57:46 | 10.12.0.10 | 75.53.168.11

08/Dec/2010:17:57 Los Angeles Time AESCracked: It takes a while to grant one username permission to every site

08/Dec/2010:17:57 Los Angeles Time AESCracked: Im doing that now.

08/Dec/2010:18:00 Los Angeles Time AESCracked: yes, those are the three cms that this user/pass gives access to

08/Dec/2010:18:00 Los Angeles Time AESCracked: user: anon1234

08/Dec/2010:18:00 Los Angeles Time AESCracked: pass: common2

08/Dec/2010:18:01 Los Angeles Time AESCracked: go fuck some shit up!




According to Overplay, who is keysjom? 



Forename: Matthew 
Surname: Keys 

email: @gmail.com 

Signup Date: 2010-09-05 07:59:56 
Signup IP: 75.53.168.11 
Payment made via Google Checkout UK 




mkeys and IP 75.53.168.11 



At FOX40 News, Matthew Keys was assigned username mkeys. 

mkeys was associated 184 times with IP address 75.53.168.11
between June 1, 2010 and October 21, 2010.

There were only 10 entries where mkeys did not use this IP on 
the server. 




User Agent String 



80.74.135.87 - - [08/Dec/2010:17:57:04 -0800] "POST /access/savegroups.ldap HTTP/1.1" 200 578 "https://assembler.tribuneinteractive.com/access/editgroups.ldap?username=anon1234" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"



All mkeys entries had the same user agent serin 






iputer using a Firefox browser. 




Screenshot of Firefox browser in use on an Apple 
computer - found on Keys' Apple laptop 










Emails Sent to FOX40 News 



From: Fox Mulder [mailto:foxmulder4099@yahoo.co.uk]
Sent: Wednesday, December 01, 2010 3:36 PM
Subject: Santa's Lap

We have obtained the email addresses of several hundred Fox 40 viewers who have registered in the "iPad Giveaway contest. To show this message is legitimate, some of the email addresses are:

comcast.net 
sbcgbbalnet 
Igaolcom 
l@comcast.net 

vahoo.com 



Feel free to look them up in your content management system. Those, along with several hundred other names, will be sent a special message within the next few days regarding the registration process on Fox40.com as well as their entry into the "rigged" contest.

This notification is a courtesy to you so that you may contact your viewers ahead of our special message.

Happy Festivus
foxmulder4099@yahoo.co.uk



The first suspicious email received, asserting that an email list had been stolen by
a person purporting to be foxmulder4099@yahoo.co.uk.





Do the Tribune Server Logs Show Someone 

Accessing the Email List? 

75.53.168.11 - - [03/Nov/2010:02:38:44 -0700] "GET /rc/edit-newsletter.ui?id=543 HTTP/1.1" 200 3802 "https://assembler.tribuneinteractive.com/rc/list-newsletter.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:39:53 -0700] "GET /access/emailpage.ui?username=test1234 HTTP/1.1" 200 178316 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:39:53 -0700] "GET /images/buttons/ok.gif HTTP/1.1" 200 312 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test1234" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:40:30 -0700] "GET /taxonomy/list-prodaffiliate-topicgalleries.ui HTTP/1.1" 200 63795 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:41:07 -0700] "GET /content/list-xmltemplate.ui HTTP/1.1" 200 28689 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:41:20 -0700] "GET /taxonomy/search-pa-topics.ui?productaffiliate=ktxl HTTP/1.1" 200 24523 "https://assembler.tribuneinteractive.com/taxonomy/list-prodaffiliate-topicgalleries.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"



These are log entries from November 3, 2010, showing references to
"emailpage" and "ktxl" from an IP associated with mkeys, and the mkeys
user agent string. The associated username is test1234.




Accessing the Email List?, cont'd 



75.53.168.11 - - [22/Nov/2010:03:02:36 -0800] "GET /access/emailpage.ui?username=test5678 HTTP/1.1" 200 187976 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:36 -0800] "GET /images/buttons/leftarrow.gif HTTP/1.1" 200 120 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:37 -0800] "GET /access/ldap/user/find.jsp HTTP/1.1" 200 3172 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:37 -0800] "GET /images/buttons/ok.gif HTTP/1.1" 200 312 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:37 -0800] "GET /images/buttons/rightarrow.gif HTTP/1.1" 200 120 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:43 -0800] "POST /access/ldap/user/finduser.ldap HTTP/1.1" 200 3478 "https://assembler.tribuneinteractive.com/access/ldap/user/find.jsp" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"



These are more log entries showing references to "emailpage" from the IP 
associated with mkeys, and the mkeys user agent string. The date is 
November 22, 2010. The associated username is test5678. 




What IP addresses are related to getting "emailpage?"

75.53.168.11 - - [03/Nov/2010:02:39:53 -0700] "GET /access/emailpage.ui?username=test1234 HTTP/1.1" 200 178316 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [03/Nov/2010:02:39:53 -0700] "GET /images/buttons/ok.gif HTTP/1.1" 200 312 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test1234" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:36 -0800] "GET /access/emailpage.ui?username=test5678 HTTP/1.1" 200 187976 "https://assembler.tribuneinteractive.com/common/navigation.ui" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:36 -0800] "GET /images/buttons/leftarrow.gif HTTP/1.1" 200 120 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:37 -0800] "GET /images/buttons/ok.gif HTTP/1.1" 200 312 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

75.53.168.11 - - [22/Nov/2010:03:02:37 -0800] "GET /images/buttons/rightarrow.gif HTTP/1.1" 200 120 "https://assembler.tribuneinteractive.com/access/emailpage.ui?username=test5678" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"



A search of the entire database for the term "emailpage" between 
June 7, 2010 and December 1, 2010 shows only one IP address - 
75.53.168.11. 




Only one IP address in the database appeared to take the ema 

database belonging to Fox40 News. 



IP address 75.53.168.11 - which was previously associated 
with Matthew Keys. 




Foxmulder4099 emails KTXL - FOX40 News 



From: Fox Mulder [mailto:foxmulder4099@yahoo.co.uk]
Sent: Wednesday, December 01, 2010 3:36 PM
Subject: Santa's Lap



We have obtained the email addresses of several hundred Fox 40 viewers who have registered in the "iPad Giveaway contest. To show this message is legitimate, some of the email addresses are:



Feel free to look them up in your content management system. Those, along with several hundred other names, will be sent a special message within the next few days regarding the registration process on Fox40.com as well as their entry into the "rigged" contest.

This notification is a courtesy to you so that you may contact your viewers ahead of our special message.

Happy Festivus
foxmulder4099@yahoo.co.uk



The first suspicious email received, asserting an email list had been stolen by
a person purporting to be foxmulder4099@yahoo.co.uk.






IP address 91.214.168.172 was also used to access the

foxmulder4099 email account



• According to Yahoo! Inc., IP address 91.214.168.172 logged
into its email server to access the foxmulder4099 account on:

• December 3, 2010 10:47 PM 

• December 4, 2010 1:45 AM 

• December 4, 2010 5:35 AM 

• December 4, 2010 4:28 PM 

• December 5, 2010 2:07 AM 

• December 5, 2010 8:46 PM 

• December 6, 2010 1:53 AM 

• December 6, 2010 6:48 AM 




IP address 91.214.168.172 alternates between logging into the Tribune server and the 

foxmulder4099 email account. 



• December 3, 2010 22:47 PM - IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• December 4, 2010 1:45 AM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• 91.214.168.172 - - [04/Dec/2010:02:41:41 -0800] "GET / HTTP/1.1" 200 1781 "-" "Mozilla/5.0 (Macintosh; 
U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 

• December 4, 2010 5:35 AM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• December 4, 2010 ^^^IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• 91.214.168.172 - - [04/Dec/2010|®^^800] "GET / HTTP/1.1" 200 1781 "-" "Mozilla/5.0 (Macintosh; 
U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 

• December 5, 2010 2:07 AM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• December 5, 2010 20:46 PM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• 91.214.168.172 - - [05/Dec/2010:21:07:00 -0800] "GET / HTTP/1.1" 200 1781 "-" "Mozilla/5.0 (Macintosh; 
U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 

• December 6, 2010 1:53 AM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• 91.214.168.172 - - [06/Dec/2010:04:37:49 -0800] "GET /common/welcome.jsp HTTP/1.1" 200 1325 
"https://assembler.tribuneinteractive.com/access/loginmodule.ldap" "Mozilla/5.0 (Macintosh; U; Intel 
Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 

• December 6, 2010 6:48 AM- IP 91.214.168.172 logs into foxmulder4099 e-mail account. 

• 91.214.168.172 - - [06/Dec/2010:21:18:09 -0800] "GET /stylesheets/ui.css HTTP/1.1" 200 7252 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"



Observation 



IP 91.214.168.172 was used to access both the Tribune server 
and the foxmulder4099 email account, on one occasion 
accessing both within less than four minutes. 




User Agent String is Same as mkeys 

"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"




IP address 91.214.168.172 was used by keysjom 



According to Yahoo, IP address 91.214.168.172 logged into its email server. 
According to Overplay this IP was used by keysjom. 

There is a time difference of about 15 minutes between the two computer systems* 



December 4, 2010 06:47 AM - In Range with 28 MIN TO SPARE
keysjom | 91.214.168.172 | 2010-12-04 06:29:44 | 2010-12-04 07:15:17 | 10.10.0.234 | 69.106.226.212

December 4, 2010 07:04 AM - In Range with 11 MIN TO SPARE or 14 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-04 06:29:44 | 2010-12-04 07:15:17 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-04 07:18:36 | 2010-12-04 07:25:01 | 10.10.0.234 | 69.106.226.212

December 4, 2010 09:45 AM - 10 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-04 09:55:00 | 2010-12-04 10:46:11 | 10.10.0.234 | 69.106.226.212

December 4, 2010 13:35 PM - 12 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-04 13:47:49 | 2010-12-04 14:01:09 | 10.10.0.234 | 69.106.226.212

December 5, 2010 00:28 AM - 15 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-05 00:43:06 | 2010-12-05 00:57:58 | 10.10.0.234 | 69.106.226.212

December 5, 2010 10:07 AM - 15 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-05 10:22:09 | 2010-12-05 10:27:44 | 10.10.0.234 | 69.106.226.212

December 6, 2010 04:46 AM - 2 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-06 04:48:48 | 2010-12-06 05:05:41 | 10.10.0.234 | 75.53.168.11

December 6, 2010 09:53 AM - 12 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-06 10:05:49 | 2010-12-06 10:13:35 | 10.10.0.234 | 75.53.168.11

December 6, 2010 14:48 PM - 13 MIN EARLY
keysjom | 91.214.168.172 | 2010-12-06 15:01:06 | 2010-12-06 15:07:31 | 10.10.0.234 | 75.53.168.11


* If 15 minutes are subtracted from each Overplay log entry for IP 91.214.168.172, the times match. So, for this IP, 15 minutes
should be subtracted from the clock.
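
Added example (not part of the original exhibit): a Python sketch of the two correlations made above, the Tribune/Overplay time comparison for 80.74.135.87 and the 15-minute clock correction for 91.214.168.172. The function names are hypothetical; the records are transcribed from this page, and reading the Yahoo login times as Los Angeles time is an assumption that matches the table.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA "combined" format, the layout of the Tribune server log lines.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumption: every record is from December 2010, when London local time equals
# UTC (no British Summer Time) and Los Angeles is on PST (UTC-8).
LONDON = timezone.utc
PST = timezone(timedelta(hours=-8))

# Tribune hit from the page; referer and user agent replaced by "-" for brevity.
TRIBUNE_LINE = ('80.74.135.87 - - [08/Dec/2010:17:57:04 -0800] '
                '"POST /access/savegroups.ldap HTTP/1.1" 200 578 "-" "-"')

# Overplay accounting rows transcribed from the page (London local time):
# UserName | NASIPAddress | AcctStartTime | AcctStopTime | FramedIPAddress | CallingStationId
OVERPLAY_ROWS = """
keysjom | 80.74.135.87 | 2010-12-09 01:31:39 | 2010-12-09 03:57:46 | 10.12.0.10 | 75.53.168.11
keysjom | 91.214.168.172 | 2010-12-04 06:29:44 | 2010-12-04 07:15:17 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-04 07:18:36 | 2010-12-04 07:25:01 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-04 09:55:00 | 2010-12-04 10:46:11 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-04 13:47:49 | 2010-12-04 14:01:09 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-05 00:43:06 | 2010-12-05 00:57:58 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-05 10:22:09 | 2010-12-05 10:27:44 | 10.10.0.234 | 69.106.226.212
keysjom | 91.214.168.172 | 2010-12-06 04:48:48 | 2010-12-06 05:05:41 | 10.10.0.234 | 75.53.168.11
keysjom | 91.214.168.172 | 2010-12-06 10:05:49 | 2010-12-06 10:13:35 | 10.10.0.234 | 75.53.168.11
keysjom | 91.214.168.172 | 2010-12-06 15:01:06 | 2010-12-06 15:07:31 | 10.10.0.234 | 75.53.168.11
"""

# Yahoo logins from 91.214.168.172 as listed on the page (minute granularity).
YAHOO_LOGINS = ["2010-12-03 22:47", "2010-12-04 01:45", "2010-12-04 05:35",
                "2010-12-04 16:28", "2010-12-05 02:07", "2010-12-05 20:46",
                "2010-12-06 01:53", "2010-12-06 06:48"]


def parse_web_hit(line):
    """Parse one combined-format line; the timestamp carries its own UTC offset."""
    m = COMBINED.match(line)
    if m is None:
        raise ValueError("not a combined-format log line: %r" % line[:60])
    hit = m.groupdict()
    hit["time"] = datetime.strptime(hit.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return hit


def parse_vpn_session(row):
    """Parse one pipe-delimited accounting row into timezone-aware bounds."""
    user, nas_ip, start, stop, framed_ip, calling = (f.strip() for f in row.split("|"))
    fmt = "%Y-%m-%d %H:%M:%S"
    return {"user": user, "nas_ip": nas_ip, "framed_ip": framed_ip,
            "calling_station": calling,
            "start": datetime.strptime(start, fmt).replace(tzinfo=LONDON),
            "stop": datetime.strptime(stop, fmt).replace(tzinfo=LONDON)}


def load_sessions():
    return [parse_vpn_session(r) for r in OVERPLAY_ROWS.strip().splitlines()]


def attribute(event_time, exit_ip, sessions, skew=timedelta(0), precision=timedelta(0)):
    """Return the VPN sessions on exit_ip that cover the event.

    skew is subtracted from the session bounds (the VPN clock running ahead of
    the other system). precision is the granularity of the event timestamp: a
    time logged to the minute may fall anywhere inside that minute.
    """
    event_end = event_time + precision
    return [s for s in sessions
            if s["nas_ip"] == exit_ip
            and event_time <= s["stop"] - skew
            and event_end >= s["start"] - skew]


def correlate_tribune_hit():
    """Which VPN account and home IP sat behind the exit IP seen by the web server?"""
    hit = parse_web_hit(TRIBUNE_LINE)
    return [(s["user"], s["calling_station"])
            for s in attribute(hit["time"], hit["ip"], load_sessions())]


def correlate_yahoo(skew):
    """Count Yahoo logins that fall inside a VPN session for a given clock skew."""
    sessions = load_sessions()
    matched = 0
    for stamp in YAHOO_LOGINS:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=PST)
        if attribute(t, "91.214.168.172", sessions, skew, timedelta(minutes=1)):
            matched += 1
    return matched


if __name__ == "__main__":
    print(correlate_tribune_hit())
    for minutes in (0, 15):
        print(minutes, "min skew:", correlate_yahoo(timedelta(minutes=minutes)), "of 8")
```

With no correction only the first login falls inside a session; with 15 minutes subtracted, and allowing for the logins being recorded to the minute, all eight do.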




The e-mailer used different email addresses,
including cancerman4099@yahoo.co.uk.



From: Cancer Man <cancerman4099@yahoo.co.uk>
Date: December 2, 2010 10:24:37 PM PST
Subject: the million dollar cash grab scam



THE FOLLOWING MESSAGE WILL BE SENT AT MIDNIGHT TONIGHT

Earlier this week, you registered to win an iPad on FOX40.COM in the station's iPad Festivus Giveaway. You may have received an email asking you to watch out for a "very important, very special message."

This is just one in a series of messages you'll receive over the next few days. Do not be alarmed, your email address will not be sold by us to any third-parties, and we don't have any personal identifying information. What Fox 40 or another company chooses to do with your information is to them

The chances of you winning an iPad are slim to nil. The contests at Fox 40 are not "rigged" per se, but they are very poorly handled.

Take, for example, Fox40's "$1 million cash grab" contest held earlier this year as part of a ratings stunt at Fox 40 and several other Tribune-owned stations. The winner? One Dominic Farinha, a former politician who sat on the Patterson City Council. Go ahead, google his name. What more deserving person for a Fox station to award nearly $8,000 to than a former politician?

How did Farinha get to the $1 million pool of cash? Farinha had to be one of several dozen finalist who landed a spot as the 40th caller to a special hotline established by Fox 40. A staff member at Fox 40 was in charge of "opening the phone lines" as soon as the number flashed on the screen. But not everyone saw the number at the same time.

The Fox 40 staffer was usually watching a monitor tuned to Comcast cable channel 8, then the in-house television system for the station. Anyone watching on DirecTV, Dish Network, AT&T U-verse or digital television through an antenna wouldn't see that number for another five to fifteen seconds, depending on the system. By the time those viewers saw the number, the winner had already been declared.

In fact, a Fox 40 producer was in charge of keeping track of every 40th caller "qualifier," and one question they had to ask the qualifier was which method a winner was watching television. The majority of qualifiers said Comcast.

Why? Anyone watching on analog Comcast no doubt won the prize, because they had the advantage of seeing the number at the exact same time as the Fox 40 producer.

But why would Fox 40 choose a Comcast system as their method to monitor when a phone number would pop up on a screen? Were they deliberately giving Comcast customers an advantage over others because Comcast — like Cache Creek Casino, Silverado, and Ikea — pour more money into Fox 40 television than any other advertiser in the Sacramento area?

Fox40's close-knit relationship with Comcast meant analog cable subscribers saw an upper-hand at a chance to win $1 million, while other subscribers were left at a disadvantage.

So what does this mean about the station's handling of the iPad giveaway to coincide with the fictitious holiday Festivus? Look for another message from us soon




Cancer Man sent another email to Fox 40 customers 






One e-mail stated "watch yourselves fox 40" and
referenced Matthew Keys



Message0116

Subject: Re: Donating
From: Cancer Man
Date: 12/3/2010 4:32:05 PM
To: Email

Message Body

watch yourselves fox 40.



From: Email Center <EmailCenter@emailcancer-org>

To: cancerman4099@yahoo.co.uk
Sent: Fri 3 December, 2010 16:28:50
Subject: Donating

Thank you for contacting the American Cancer Society. Your question will be answered within S-S business days. If you need immediate information, please call 1-800-ACS-2345.

This was an online inquiry about:

Donating

MESSAGE:

I would love to give all that I can to make up for my insensitivity to those who have been diagnosed and their families coping through this devastating disease.

EMAIL:

cancerman4099@yahoo.co.uk
Would like to be contacted by email? yes

YOUR CONTACT INFORMATION:

NAME:

Matthew Keys

ADDRESS:

Sacramento California

PHONE:

EXTENSION:

Thank you for visiting cancer.org.



Another email from Cancer Man mentioned "a 
determined insider" and "going rogue" 





Mess^l39 


Subject: Going Rogue
From: Cancer Man
Date: 12/5/2010 4:36:28 AM

Message Body

There is a new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider.

At risk are companies' secrets - e-mails, documents, databases and internal websites that are thought to be locked to the outside world. Companies create records of every decision they make.

Although it is easy, technologically, to limit who in a company sees specific types of information, many companies leave access too open. Despite the best of intentions, mistakes happen and settings can become inadvertently broad, especially as networks grow more complex with reorganizations and acquisitions.

Even when security technology is doing its job, it is a poor match if someone with legitimate access decides to go rogue <http://en.wikipedia.org/wiki/Going_Rogue:_An_American_Life> .








Who was cancerman4099? 



• On December 11, 2010 at 19:25 GMT, IP address
91.214.168.172 logged into the email account
cancerman4099@yahoo.co.uk.

• Overplay Server IP address 91.214.168.172 was in 
use by IP address 75.53.171.204 at that time. 



I keysjom | 91.214.168.172 | 2010-12 



)-12-ll 20:25:55 | 75.53.171.204* 



AT&T customer 



@att.net 



RC Messags 



BBNMS.diaconiieclport.piiod653.110428031922.972H 04/28/2011 05:19:22 100 OK Port Deleted 



DHCP.niod.pnode2.101208201317.3S47 



12-08.'2010 22:13:17 100 Ok 



ban: 103631274 [H] 

port: SCRQCA6Z.-01CAB101A-1.M-37 [HI 

ban:103G31274[Hj 
sbognfttxsssodsteduid: 
sbognfttxdhcprelaysddress: 75.53.168.2 [H] 
ip: 75.53.171.204 [H] 
rg: OOD03E-160913016380|H} 
siteid: 010462766 [H] 
cifCuit:A6/MCXX/606260//PT[Hl 
port: SCRQCAGZ-01CAB101A-1-1-1-37 [H] 



According to AT&T, its customer was using IP
address 75.53.171.204 from 12/8/2010 to
4/28/2011.






Zip V 
95834 



Legal Entity: 



Member ID: 



PCOO 



Saitjliit 



Typ^^^^^^Statu^^^^^THouse^jmbe^ndStrnTNam^^Tot^^ 



Service 



Active 



3381 SHADOW TREE DR 



SAC 




Matthew Keys was assigned this IP address at 
his home in Sacramento. 







Summary 



On December 11, 2010, Matthew Keys's residential AT&T IP 
address connected to Overplay and was assigned IP address 
91.214.168.172. The Overplay IP address 91.214.168.172 was 
then used to check the cancerman4099@yahoo.co.uk email 
account. 




What Happened to Samantha Cohen's account, 



"sscholbrock?" 



Samantha Cohen was an employee at FOX40 News. She used
account "sscholbrock."



Between December 6 and 8, 2010, she had trouble accessing 
her account. Her password did not seem to be working even 
after it was changed. 




Samantha Cohen's account, cont'd. 



This entry from the early morning of December 6, 2010, shows 
the account being edited. 



91.214.168.172 - - [06/Dec/2010:04:38:17 -0800] "POST /access/saveuser.ldap HTTP/1.1" 200 584 "https://assembler.tribuneinteractive.com/access/ldap/user/edituser.ldap?username=sscholbrock" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

About four hours later, Cohen (sscholbrock) reported she was 
trying to log in and her password did not work. She asked for it 
to be reset and it was. 




Samantha Cohen's account, cont'd. 

Then on December 8, 2010, the account is edited again. 



91.214.168.172 - - [08/Dec/2010:09:08:37 -0800] "POST /access/saveuser.ldap HTTP/1.1" 200 584 "https://assembler.tribuneinteractive.com/access/ldap/user/edituser.ldap?username=sscholbrock" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

About two hours later, Cohen (sscholbrock) reported her new 
password had stopped working and asked that it be reset. It 
was. A new account, sscholbrock2 was also created. 




Samantha Cohen's account, cont'd 



Then on December 14, 2010, both accounts are edited. 

91.214.168.172 - - [14/Dec/2010:07:44:56 -0800] "POST /access/saveuser.ldap HTTP/1.1" 200 6652 "https://assembler.tribuneinteractive.com/access/ldap/user/edituser.ldap?username=sscholbrock2" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

91.214.168.172 - - [14/Dec/2010:07:45:01 -0800] "POST /access/saveuser.ldap HTTP/1.1" 200 7576 "https://assembler.tribuneinteractive.com/access/ldap/user/edituser.ldap?username=sscholbrock" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

About two hours later, Cohen reported that her new account 
and old account were no longer accepting her log on 
information. 




In summary, 



On three occasions, the user from IP address 91.214.168.172 
made changes to Cohen's accounts which resulted in her being 
locked out. 



In each instance, the mkeys user agent string was present. 




After LA Times is Attacked, Keys's AT&T IP address 



continues to appear in the Tribune Server logs 




IP address 75.53.171.204, appears in the Tribune 

Server Logs in January 2011 

• 75.53.171.204 - - [02/Jan/2011:05:02:59 -0800] "GET / HTTP/1.1" 200 1781 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:02:59 -0800] "GET /stylesheets/ui.css HTTP/1.1" 200 7252 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:00 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:00 -0800] "GET /images/buttons/login.gif HTTP/1.1" 200 334 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:00 -0800] "GET /images/ti.jpeg HTTP/1.1" 200 17924 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:03 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:04 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

• 75.53.171.204 - - [02/Jan/2011:05:03:07 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"




IP addresses 75.53.171.204 and 75.53.168.11 



"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; 
rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" - still containing 
the mkeys user agent string 




Where Else Do We See IP address 75.53.171.204?



From at least December 12, 2010 through about January 5,
2011, IP address 75.53.171.204 is associated with the
nickname AESCracked on IRC Channels.




Here are some samples 



Dec 12 17:31:02 * *** Notice -- Client connecting at lexus.anonops.eu: AESCracked (AESCracked@75-53-171-204.lightspeed.nscrca.sbcglobal.net)

Dec 13 03:09:48 * *** Notice -- Client exiting at fancy.anonops-irc.com: AESCracker!AESCracker@75-53-171-204.lightspeed.nscrca.sbcglobal.net (Ping timeout)

Dec 15 13:21:53 * *** Notice -- Client connecting at osiris.anonops.net: AESCracked (AESCracked@75-53-171-204.lightspeed.nscrca.sbcglobal.net)

Dec 27 21:19:45 * *** Notice -- Client connecting at irc.anonops.co.uk: AESCracked (AESCracked@75.53.171.204)



Jan 04 14:37:56 <AESCracked> I cannot get in to internetfeds :(

Jan 04 14:37:58 <AESCracked> help me for raeps plz.

Jan 04 14:38:09 * [AESCracked] (~AESCracke@my.vhost): AESCracked
Jan 04 14:38:09 * [AESCracked] is using modes +iwrxt

Jan 04 14:38:09 * [AESCracked] is connecting from *@75-53-171-204.lightspeed.nscrca.sbcglobal.net 75.53.171.204



Jan 04 21:52:39 <Global> NickServ: AESCracked ! 
Jan 04 21:52:44 <Global> 



ightspeed.nscrca.sbcglobal.net identified for nick AESCracked 




Search Warrant Results 



Matthew Keys's computer had this on it: 



It is a screen shot containing items from the Tribune 
Company Content Management Server 



trb.tli.o2.ktxl.custsefvice 

trb.tii.o2.ktxl.edit 

trb.tli.o2.ktxl.delete 

trb.tll.o2 

trb.tll.o2.ktxl.edlt.submlt 

trb.tli.httDd.o2 

trb.tll.o2.ktxl.confia 

trb.til.o2.ktxl.convevor 

trb.tli.o2.ktxl.automation 

trb.tii.o2.ktxl. layout 

trb.tll.o2.kbcl.theme 





Here are some details about the screenshot. 






The file was called:

files\Screen shot 2010-12-11 at 11.32.28 AM.png

The file was created on:

Created Date: 12/11/2010 11:32:33 AM






What do the Tribune Server Logs from this date and time contain?

• IP address 91.214.168.172 was logged on with account test1234.

• 91.214.168.172 - - [11/Dec/2010:11:32:26 -0800] "GET /access/ldap/user/edituser.ldap?username=test1234 HTTP/1.1" 200 7363 "https://assembler.tribuneinteractive.com/access/ldap/user/finduser.ldap" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

— The User Agent String was the same as before. 



• From Overplay: 

• keysjom | 91.214.168.172 | 2U1 12-11 



10.10.0.234 I 75.53.171.204 




Summary 

The image depicted data that came from the Tribune Server on 
December 11, 2010. 

The image was obtained by the user of IP address 
91.214.168.172. 

IP address 91.214.168.172 was assigned to Matthew Keys 
(keysjom) who accessed it from his home in Sacramento. 

The image was found on Matthew Keys's computer. 
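
The timeline reasoning in this summary (a file's creation time matched against web-server requests from one address) can be reproduced as below. This is an added example, not part of the exhibit: the log lines, documentation-range IP addresses, host and paths are constructed, and `parse_line` and `requests_near` are hypothetical helper names. It also covers the time-zone normalization the exhibit relies on, since a local file timestamp must carry a UTC offset before it can be compared with logged times.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) "
      "Gecko/20100722 Firefox/3.6.8")

# Constructed sample log (documentation IP ranges, hypothetical host and paths).
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [11/Dec/2010:11:32:26 -0800] "GET /admin/edituser?username=example HTTP/1.1" 200 7363 "https://cms.example/admin/finduser" "{UA}"',
    '198.51.100.9 - - [11/Dec/2010:11:32:30 -0800] "GET /index.html HTTP/1.1" 200 1781 "-" "ExampleBot/1.0"',
    f'203.0.113.7 - - [11/Dec/2010:14:05:00 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "{UA}"',
    "damaged line that does not parse",
])

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # %z keeps the logged UTC offset, so later comparisons are zone-safe.
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_text, artifact_time, window_seconds=60, ip=None):
    """Requests within +/- window_seconds of a timezone-aware artifact time."""
    if artifact_time.tzinfo is None:
        raise ValueError("attach a UTC offset to the artifact timestamp first")
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (ip is not None and rec["ip"] != ip):
            continue
        if abs(rec["time"] - artifact_time) <= window:
            hits.append(rec)
    return hits

# File-system "created" time is local time; the UTC-8 offset is an assumption.
PST = timezone(timedelta(hours=-8))
CREATED = datetime(2010, 12, 11, 11, 32, 33, tzinfo=PST)

if __name__ == "__main__":
    for rec in requests_near(SAMPLE_LOG, CREATED):
        delta = (rec["time"] - CREATED).total_seconds()
        print(rec["ip"], rec["ts"], f"{delta:+.0f}s", rec["request"])
```

A time window alone also returns unrelated clients active in the same minute, so the `ip` filter and a comparison of the `agent` field are what narrow the result to one source.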




Matthew Keys's computer had this on it:

[Screenshot of a Los Angeles Times web page, NATION section]

Pressure builds in House to elect CHIPPY 1337

House Democratic leader Steny Hoyer sees 'very good things' in the deal cut which will see
uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House
Democrats told to SUCK IT UP

By CHIPPYS NO 1 FAN, Tribune Washington Bureau
December 14, 2010 | 10:04 a.m.



The picture was created on Matthew Keys's computer:

The time stamps show this picture was created on
December 15, 2010 at 4:32 AM Los Angeles Time.

Created Date: 12/15/2010 4:32:46 AM
Modified Date: 12/15/2010 4:32:46 AM






What else is happening at this time? 






As this Screenshot from Keys's Computer Shows,
AESCracked Was Chatting With Sharpie

[Screenshot of a chat window titled "sharpie (67.23.234.51)". Channel list: OperationPayback (364 members), internetfeds (10 members). Visible nicknames: SiteBot, AESCracked, glomexiaway.]

sharpie: http://imgur.com/ZhzUS.jpg
[FBI Note: On 8/13/2015, went to website. Picture matches previous slide.]
sharpie: I taught myself the dystem using ngarcia
sharpie: -system
AESCracked: LOL
sharpie: and had a whole front page layout made for the Chicago tribune
AESCracked: Is it live?
sharpie: but dam there sysadmins were good
sharpie: nah they killed me
sharpie: that was up for 1/2 hr
AESCracked: Screenshot?
sharpie: no
AESCracked: Sucks
sharpie: the I menat the LA Times was up for 1/2 hr
AESCracked: I can grant you access again
sharpie: that would be great
sharpie: I know ho to use it now
AESCracked: Standby
AESCracked: Have to VPN to cover my tracks.
AESCracked: Oh I already am, nvm
sharpie: and I see that you can do a bunch of different layouts on different papers
AESCracked: damn they cut off my account
sharpie: and have them all go live at the same time
AESCracked: hang on.
AESCracked: Nope, I'm locked out for good,
sharpie: fuck
AESCracked: :(




What else was happening at this time? 



[Screenshot of the Los Angeles Times mobile site, Top Stories]

Pressure builds in House to elect CHIPPY 1337

By CHIPPYS NO 1 FAN, Tribune Washington Bureau
Story posted 2010.12.14 at 10:04 AM PST

Reporting from Washington- After the Senate overwhelmingly
voted to advance the tax-cuts package, House Majority Leader
Steny Hoyer acknowledged Tuesday the urgency in passing the
legislation to avoid a tax hike on Jan. 1.

The bill could clear the Senate late Tuesday or early Wednesday,
pressuring reluctant House Democrats to act on the deal the
White House struck with the GOP. The $658-billion package
extends tax cuts from the George W. Bush administration for two
years and continues unemployment benefits for jobless
Americans through 2011.

"The vote in the Senate indicates the urgency," Hoyer said of
Monday's 83-15 procedural vote in the Senate. "When you look at
this plan, there are some very good things in it."

House Democrats will meet behind closed doors Tuesday
evening to strategize on the package that many representatives
oppose, saying it favors the wealthy. Democrats particularly want
to amend an estate-tax provision that exempts multimillionaires
from the tax.

Hoyer said "significant concerns" remain about the deal.

Yet with tax cuts set to expire at year's end, lawmakers are
increasingly aware there is limited time to alter the bill and avoid
having the legislation pingpong between the House and Senate in
the final days of the congressional session.

Democrats would like to press forward on other legislative
priorities before relinquishing their majority in the House,
including a repeal of the military's ban on openly gay personnel

Created Date: 12/15/2010 4:45:34 AM
Modified Date: 12/15/2010 4:45:34 AM

This picture was also created a few minutes later.






Document 67-1 Filed 09/09/ 



The chat continues 



[Screenshot of a chat window titled "sharpie (67.23.234.51)". Channel list: OperationPayback (364 members), internetfeds (10 members). Nicknames shown: Chronom, SiteBot, AESCracked, Avunit, Dwaan, evilworks, glomexiaway, Shiva, xS, Chitty.]

sharpie: and have them all go live at the same time [04:34am]
AESCracked: hang on. [04:34am]
AESCracked: Nope. I'm locked out for good. [04:34am]
sharpie: fuck [04:35am]
AESCracked: :( [04:35am]
sharpie: yeah [04:35am]
AESCracked: Let me see if I can find some other users/pass I created while there. [04:35am]
sharpie: all those other accounts were dead in miniutes and they found ngarcia damn quick [04:35am]
sharpie: I got to give props to the stsadmins [04:35am]
sharpie: 'sysadmins [04:35am]
AESCracked: LOL. [04:36am]
sharpie: anyjoy? [04:38am]
AESCracked: Not yet [04:38am]
sharpie: kay bro [04:38am]
AESCracked: Will check a little later for sure [04:38am]
sharpie: afk 5 mins anyway [04:38am]
sharpie: cool [04:38am]
sharpie: :0 [04:38am]
AESCracked: I have a hard drive full of Tribune crap, but it's in another location. [04:38am]
sharpie: thanks [04:38am]
AESCracked: Sure thing [04:39am]
sharpie: that was such a buzz having my edit [04:39am]
sharpie: on the LA Times [04:39am]
AESCracked: Nice [04:39am]
sharpie: I could have done so much more if I'd known thr interface at the start [04:39am]
sharpie: it's both easy and complicated [04:39am]





From the Tribune logs at this same time... 



91.214.168.172 - - [15/Dec/2010:04:33:53 -0800] "GET / HTTP/1.1" 200 1781 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
91.214.168.172 - - [15/Dec/2010:04:33:56 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
91.214.168.172 - - [15/Dec/2010:04:34:12 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Fi
91.214.168.172 - - [15/Dec/2010:04:34:15 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
91.214.168.172 - - [15/Dec/2010:04:34:37 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/access/loginmodule.ldap" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1
91.214.168.172 - - [15/Dec/2010:04:34:40 -0800] "GET /favicon.ico HTTP/1.1" 200 3574 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
91.214.168.172 - - [15/Dec/2010:04:34:41 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/access/loginmodule.ldap" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1
91.214.168.172 - - [15/Dec/2010:04:34:44 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/access/loginmodule.ldap" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1
91.214.168.172 - - [15/Dec/2010:04:34:47 -0800] "POST /access/loginmodule.ldap HTTP/1.1" 200 1859 "https://assembler.tribuneinteractive.com/access/loginmodule.ldap" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1



From #internetfeds IRC Channel 



• Dec 20 17:13:19 <kayla> :o? 

• Dec 20 17:13:28 <Chronom> :0 

• Dec 20 17:14:15 <AESCracked> o.O 

• Dec 20 17:14:46 <Chronom> Still sellin' those emails, AESCracked? 

• Dec 20 17:14:57 <AESCracked> I haven't sold an e-mail list to 
anyone dude. 

• Dec 20 17:15:16 <Avunit> Whos in the market for e-mails? 

• Dec 20 17:16:24 <root'work> spamzOrs 

• Dec 20 17:16:39 <AESCracked> I has emails to give to teh spamzOrs. 




#Target



• Dec 08 20:53:12 <Random'> Hit authorize. 

• Dec 08 20:53:13 <AESCracked> if you want to attack fox news, pm me. i 
have a user/password for their cms 

• Dec 08 20:53:15 <Satori> By attacking paypal, we ruin our reputation. I say 
we attack the payment servers secure.whatever for both paypal and visa 

• Dec 08 20:53:17 <spac> dowjones=publicity 

• Dec 08 20:53:18 <Minilogue> Vote authorize.net - 2 . We could hit visa 
Where it hurts!. 

• Dec 08 20:53:18 <montezuma> oh. 

• Dec 08 20:53:18 <WiKiLeAdEr> be intelligent not just revengeful 

• Dec 08 20:53:20 <toxology> anondesu: But the public does not see 




From #OperationPayback IRC Channel 



Dec 10 21:41:10 <mauro> dont attack media! 

Dec 10 21:41:10 <Anonl23456789> i can't get i 

Dec 10 21:41:11 <Anonl23456789> n 

Dec 10 21:41:12 * AESCracked suggests targeting FOX News 
Dec 10 21:41:13 <mib 3mwhbt> 178.63.172.193 hive is down 




From #command IRC 



Dec 08 20:53:38 <iowa> lithium it hsould be telling you which chan is +N

Dec 08 20:53:42 <lsis> its -N now

Dec 08 20:53:44 <iowa> leave that channel

Dec 08 20:53:55 <ToMz> (AESCracked) *pm me for fox news password into their cms*

Dec 08 20:54:04 <lsis> wtf

Dec 08 20:54:10 <ToMz> wat do ^




#OperationPayback

• Dec 09 07:54:12 * EvilBoat has kicked teddde from #OperationPayback (Watch your language!)

• Dec 09 07:54:12 <odalfe> Ibotnum

• Dec 09 07:54:13 * EvilBoat has kicked odalfe from #OperationPayback (Watch your language!)

• Dec 09 07:54:15 <paull> can someone pm me what has happened the last about 5 hours please

• Dec 09 07:54:15 <amanikos> paypal has slowed down or is it me?

• Dec 09 07:54:17 <AESCracked> I've already given Ops the user/pass to several FOX websites.

• Dec 09 07:54:17 <aveit23> Ibotnum

• Dec 09 07:54:18 * EvilBoat has kicked aveit23 from #OperationPayback (Watch your language!)

• Dec 09 07:54:18 <ziltoid> only fire where we need to, we'll probably be jumped back to mastercard.com later

• Dec 09 07:54:19 <Anonlolle> Fox News is just for the lulz and the white trash trailer rage

• Dec 09 07:54:21 <JAM> Ibotnum

• Dec 09 07:54:21 * EvilBoat sets ban on *!*(5)IT.IN

• Dec 09 07:54:21 * EvilBoat has kicked JAM from #OperationPayback (Watch your language!)

• Dec 09 07:54:21 <gewgahs_> can anyone link me to instructions for hiding LOIC from my ISP? I've got plenty of bandwidth to spare

• Dec 09 07:54:21 <calatalee> >####On behalf of #propaganda please spread http://pastebin.com/XYSN27EK to your local news media####<

• Dec 09 07:54:22 <AESCracked> The backend of their CMS.




#OperationPayback 



• Dec 14 15:29:46 <Raphael> works for chrome xp 

• Dec 14 15:29:49 <n3ot0xin> http://boards.808chan.org/tpb/ 

• Dec 14 15:29:50 <AESCracked> Anyone interested in defacing FOX, LA Times? 

• Dec 14 15:29:55 <Raphael> no media 

• Dec 14 15:29:58 <Snotbox> What's the point of ddosing aklagare.se? 

• Dec 14 15:29:58 <n3ot0xin> yes AES 

• Dec 14 15:30:07 <randOm> lol ... AESCracker ... you little angry man 

• Dec 14 15:30:08 <AESCracked> I have users/pass into their CMS. 

• Dec 14 15:30:10 <God> http://www.limeradio.net/listen/wmp :: Radio:Payback -- KORAX 
LIVE ON AIR 

• Dec 14 15:30:10 <God> http://www.limeradio.net/listen/wmp :: Radio:Payback -- KORAX LIVE ON AIR

• Dec 14 15:30:11 <God> http://www.limeradio.net/listen/wmp :: Radio:Payback - KORAX LIVE ON Al




#OperationPayback 



Dec 10 21:43:57 <Mike3620> an example 

Dec 10 21:43:58 <JulianAssange> Julian Assange here 

Dec 10 21:43:58 <AESCracked> FOX News is not media, it's 
"infotainment" for inbreds. I say we target them. 

Dec 10 21:43:58 <stilgar> terrorist terrorist terrorist.... every 
force that has voice it's own is called terrorist by the 
establishment 




#Internetfeds

• Dec 09 18:31:52 * Now talking on #internetfeds

• Dec 09 18:31:52 * Topic for #internetfeds is: Welcome. We are the Internet feds. | Everything that is shared here is private and must remain in this channel unless stated otherwise. |

• Dec 09 18:31:52 * Topic for #internetfeds set by xS at Thu Dec 09 14:59:49 2010

• Dec 09 18:31:53 * LOIC_UIRXWT gives channel operator status to iowa

• Dec 09 18:32:01 <IOU> Can we remove the auto invite on my nick?

• Dec 09 18:33:57 <AESCracked> Yet another reason the Times must be demolished.

• Dec 09 18:33:57 <AESCracked> http://latimesblogs.latimes.com/the_big_picture/2010/12/why-the-wikileakers-are-not-quite-rosa-parks.html

• Dec 09 18:35:48 * LOIC_UIRXWT invited kayla into the channel.

• Dec 09 18:35:54 * LOIC_UIRXWT gives channel operator status to kayla

• Dec 09 18:36:03 <kayla> holy fucking cock :3

• Dec 09 18:36:12 <kayla> i been trying for ages to get tonnected

• Dec 09 18:36:24 <kayla> "MAX CONNECTION ERROR" :(




#OperationPayback 






Dec 09 08:41:19 <pongdu> where is target? 

Dec 09 08:41:20 <ruimm> still bombarding 

Dec 09 08:41:22 <[Z]Anon> No one's annonimous here. 

Dec 09 08:41:22 <lulzzzzz> Schnecke> WHAT ? 



Dec 09 08:41:23 <anon_666> upgoat/repost --> 



vmous indvbav/i 




Dec 09 08:41:23 * PD is now known as PD 



Dec 09 08:41:24 <AESCracked> Members of the media: I am a former journalist.
Dec 09 08:41:24 <wooshka> Ihivestatus 






